SecretSifter: Live Credentials & Secrets Scanner
Overview
Detects secrets, API keys, and tokens in JS, JSON, XML, and HTML at runtime
SecretSifter is a runtime secrets scanner built for penetration testers, bug bounty hunters, and security engineers. It automatically intercepts and scans network traffic in the active tab — JavaScript files, JSON API responses, XML responses, HTML pages, and WebSocket frames — and flags exposed secrets such as:
• API keys, Bearer tokens, JWT secrets and encrypted CryptoJS blobs
• Passwords and credentials in response bodies

KEY FEATURES
• T1 / T2 / T3 confidence tiers to separate real findings from noise
• WebSocket scanning — intercepts both incoming and outgoing WS frames
• CDN blocklist — skip known third-party libraries and analytics scripts automatically
• Suppressed key names — silence app-specific noise with one click
• Full findings report with severity badges (Critical / High / Medium / Low)
• Export findings to JSON, CSV, or HTML report
• Export scanned URL list (JS, JSON, HTML, XML, requests, WebSocket)
• DevTools panel + popup — works however you prefer
• Privacy-first — all findings stored locally in your browser; the only external call is an optional Google Maps API key validation probe sent directly to Google

HOW TO USE IT
1. Enable scanning on a tab
Open the target site, click the SecretSifter toolbar icon, toggle "Scanning: ON". The setting is per-domain and persists across reloads.
2. Browse the app
Findings appear live as the page (and its lazy-loaded chunks) execute. Each finding shows the rule that fired, severity, masked value, source URL, and line number.
3. Triage findings
• Popup — quick view of total count and severity breakdown; toggle masking, copy values, export.
• DevTools panel — open DevTools, click the "SecretSifter" tab. Full table with rule/severity/status filters, search, JSON copy.
• Full Report page — click the toolbar icon, then "Open Full Report". Sortable cards with positive/negative classification signals, per-finding edit (severity, tier, delete), and detailed export.
4. Export
JSON, CSV, or standalone HTML report — available from the popup or report page.

SETTINGS & CUSTOMIZATION
Right-click the toolbar icon → "Options" (or open Settings from the popup):
• CDN blocklist — domains whose URLs are ignored as findings (Google Fonts, Datadog, Segment, etc. preloaded)
• Noise keys — common variable names that frequently cause false positives (preloaded, editable)
• Custom rules — define your own regex patterns

v1.1.2:
• Added 11 additional vendor patterns
• Detection accuracy improvements

DESIGNED FOR SECURITY PROFESSIONALS
Scanning is opt-in per tab. No accounts, no telemetry, no developer-controlled servers.
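To make the mechanics in the listing concrete (confidence tiers, a CDN blocklist, suppressed noise-key names, and masked values reported with a source URL and line number), here is an added JavaScript sketch of such a scanner; it is not SecretSifter's own code, and its rule names, patterns, blocklist entries and sample response body are constructed for illustration.

```javascript
// Added example, not SecretSifter's code: a minimal runtime secrets scanner with
// T1/T2/T3 confidence tiers, a CDN blocklist, noise-key suppression and value masking.
// Rule names, patterns, blocklist and the sample input are constructed for illustration.
const RULES = [
  // T1: structurally unambiguous format, lowest false-positive rate
  { name: "aws-access-key-id", tier: "T1", severity: "Critical", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // T2: strong contextual hint (Authorization header style) but free-form value
  { name: "bearer-token", tier: "T2", severity: "High", re: /\bBearer\s+([\w\-.~+\/]{20,}=*)/g, valueGroup: 1 },
  // T3: generic "<name containing key|secret|token|password> = '<value>'"; noisy, so the
  // captured name is checked against NOISE_KEYS before the match is reported
  { name: "generic-secret-assignment", tier: "T3", severity: "Medium",
    re: /\b([A-Za-z_]\w*(?:key|secret|token|password)\w*)\s*[:=]\s*["']([^"']{8,})["']/gi,
    keyGroup: 1, valueGroup: 2 },
];
const CDN_BLOCKLIST = new Set(["fonts.googleapis.com", "cdn.segment.com"]);
const NOISE_KEYS = new Set(["publickey", "csrftoken", "keycode"]);

// Keep the first four and last two characters so the report never carries the full secret.
function mask(value) {
  if (value.length <= 6) return "*".repeat(value.length);
  return value.slice(0, 4) + "*".repeat(value.length - 6) + value.slice(-2);
}

// Scan one response body; each finding mirrors the per-finding record the listing describes.
function scanBody(url, body) {
  if (CDN_BLOCKLIST.has(new URL(url).hostname)) return []; // known third-party script, skip
  const findings = [];
  body.split("\n").forEach((line, idx) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        const keyName = rule.keyGroup ? m[rule.keyGroup].toLowerCase() : null;
        if (keyName && NOISE_KEYS.has(keyName)) continue; // app-specific noise, suppressed
        const value = m[rule.valueGroup ?? 0];
        findings.push({ rule: rule.name, tier: rule.tier, severity: rule.severity,
                        value: mask(value), url, line: idx + 1 });
      }
    }
  });
  return findings;
}

// Constructed sample JS chunk; the AKIA value is the public AWS documentation example key.
const SAMPLE_JS = [
  'const cfg = { apiBaseUrl: "https://api.example.test" };',
  'const publicKey = "pk_live_placeholder_value_1";',
  'headers.Authorization = "Bearer abcdefghijklmnopqrstuvwxyz012345";',
  'const accessId = "AKIAIOSFODNN7EXAMPLE";',
  'const dbPassword = "correct-horse-battery";',
].join("\n");

console.table(scanBody("https://app.example.test/static/main.js", SAMPLE_JS));
```

Line 2 is suppressed by the noise-key list and a request to a blocklisted CDN host yields no findings at all, which is the behaviour a tester expects when tuning the blocklist and noise keys.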
Rating: 5 out of 5 (2 ratings)
Details
- Version: 1.1.2
- Updated: May 11, 2026
- Offered by: gorijala2k16
- Size: 113 KiB
- Languages: English (United States)
- Developer email: gorijala2k16@gmail.com
- Non-trader: This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.
Privacy
SecretSifter: Live Credentials & Secrets Scanner has disclosed the following information regarding the collection and usage of your data. More detailed information can be found in the developer's privacy policy.
SecretSifter: Live Credentials & Secrets Scanner handles the following:
This developer declares that your data is
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes